On February 28, 2024, President Joe Biden signed Executive Order 14117. This order aims to protect Americans’ sensitive personal and government-related data from foreign adversaries. It targets specific “countries of concern” identified as potential threats to U.S. national security.
The Need for Executive Order 14117
Data collection has grown exponentially in recent years. With advancements in technology, particularly AI, the risks associated with data have increased. AI can analyze vast datasets and uncover personal details, making it possible to de-anonymize data. This executive order is a response to these growing dangers. It seeks to limit data transfers to countries that could misuse it.
Countries like China, Russia, Iran, and North Korea are identified as threats. These nations have the capability and intent to exploit American data. This order represents one of the most comprehensive efforts to regulate and secure sensitive information.
Key Provisions of the Executive Order
1. Definition of Covered Data and Transactions
The order defines “covered data” as sensitive personal information. This includes genomic data, biometric identifiers, precise geolocation data, personal health information, and financial data. If exploited, this data could have severe consequences for U.S. citizens and government operations. The order also covers “government-related data,” which includes information that could identify government employees, contractors, or sensitive locations.
Transactions involving this data are heavily regulated. These include data brokerage, vendor agreements, employment contracts, and investment agreements, particularly with entities from countries of concern.
2. Restrictions on Data Transfers
The order imposes strict restrictions on transferring sensitive data to foreign entities associated with countries of concern. These restrictions apply to any entity located in these countries or controlled by their governments. The Attorney General, in collaboration with other federal agencies, is responsible for issuing specific regulations to enforce these restrictions. The goal is to prevent any transaction that poses an “unacceptable risk” to U.S. national security.
3. Security Requirements for Transactions
The order mandates that the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), develop security requirements for handling and storing sensitive data. These standards are intended to mitigate risks associated with permissible transactions involving sensitive data. Even when data must be shared or stored, it must be done securely to reduce the likelihood of exploitation.
Impact on Businesses and Data Brokers
Data brokers and global companies dealing in personal data will be significantly impacted by this executive order. These entities must navigate a complex regulatory environment to avoid violating the new rules. The order could drastically change how data is collected, stored, and transferred across borders. Non-compliance could result in strict penalties.
Businesses must be vigilant in their dealings with foreign partners. They need to ensure that any transaction involving sensitive data adheres to the new regulations. This includes implementing robust data security measures and possibly restructuring foreign engagements to stay within the law.
Broader Implications for U.S. National Security
Executive Order 14117 marks a significant shift in how the U.S. government approaches data security, particularly in international relations. By limiting access to sensitive data, the order seeks to protect not only individual privacy but also the broader national security interests of the United States.
This order is part of a larger strategy to address state-sponsored cyber activities and data espionage threats. By tightening controls over sensitive data, the U.S. aims to reduce the avenues available to adversaries for conducting surveillance or disrupting critical infrastructure.
Looking Forward
Federal agencies will begin drafting and implementing the regulations outlined in Executive Order 14117. Businesses and individuals will need to stay informed about these changes. Public consultations and rulemaking processes will likely shape the final regulations. This will offer stakeholders a chance to influence the new security requirements.
Executive Order 14117 is a comprehensive approach to protecting American data in a global environment that is increasingly hostile. As the order takes effect, it will likely become a cornerstone of U.S. data security policy. It sets a precedent for how nations can protect their citizens’ information from foreign threats.
By safeguarding sensitive data from adversaries, the U.S. is taking a crucial step toward securing its national interests. The order underscores the importance of vigilance in the face of evolving cyber threats. It reaffirms the government’s commitment to protecting its citizens’ privacy and security.
